[strongSwan] L2TP/IPsec on FreeBSD 10 and a Windows 7 Client behind NAT

Martin Willi martin at strongswan.org
Fri Sep 19 10:41:10 CEST 2014


Hi,

> I can connect to this L2TP/IPsec setup using Mac OS X 10.6 to 10.9,
> and iOS 7 clients sitting behind a NAT. A Windows 7 client from behind
> the same NAT establishes the IPsec connection to the server
> successfully, i.e. the SPDs and SADs look almost identical to those
> created for the Apple clients, but the traffic does not arrive on
> 11.11.11.11[udp1701].

Using L2TP/IPsec over NAT is very problematic, and IMHO broken by
design. Having multiple clients behind the same NAT does not work
without quirks. You'd have to somehow bind your L2TP session to a
specific IPsec SA, but we don't bring any specific support for that (nor
does ipsec-tools, AFAIK).

> ipsec-tools do have a hell of a lot of NAT-T issues, and I desperately
> want to move to another system. strongSwan serves perfectly well any
> Apple client sitting behind a NAT (even a multitude of clients behind
> the same NAT, wow!!!).

All I can recommend is to not switch to "another system", but to a sane
protocol. Windows 7 has a well-working native IKEv2 IPsec client, which
interoperates just fine with strongSwan [1]. On OS X you can use the
native IKEv1 client, or try our IKEv2 strongSwan App [2].

Regards
Martin

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
[2] https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX#Native-application
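The IKEv2 setup recommended in the reply above, shown as an added example of a strongSwan `ipsec.conf` connection for the Windows 7 native client. This is an editorial example, not configuration from the post or from the strongSwan wiki pages it links; the hostname `vpn.example.com`, the certificate file names, the client address pool and the user name are placeholders you replace with your own. Because IKEv2 carries the client's identity inside the authenticated exchange and assigns each client its own virtual IP from the pool, several clients behind one NAT get distinct SAs and distinct inner addresses, which is exactly the binding the L2TP/IPsec design lacks.

```ini
# /etc/ipsec.conf (added example, placeholders marked below)
config setup
    # keep the default; uniqueids=no is only needed if one identity
    # must hold several concurrent tunnels

conn win7-ikev2
    keyexchange=ikev2
    # proposals the Windows 7 client offers by default
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    # server side: certificate whose subjectAltName matches the hostname
    # the client types in, and which carries the serverAuth EKU
    left=%any
    leftid=@vpn.example.com          # placeholder hostname
    leftcert=serverCert.pem          # placeholder file in /etc/ipsec.d/certs
    leftauth=pubkey
    leftsubnet=0.0.0.0/0             # route all client traffic through the tunnel
    # client side: EAP-MSCHAPv2 username/password, no client certificate
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%identity
    rightsourceip=10.10.0.0/24       # placeholder virtual IP pool
    auto=add

# /etc/ipsec.secrets (added example)
# : RSA serverKey.pem
# alice : EAP "placeholder-password"
```

The server certificate must chain to a CA the Windows machine trusts (import the CA into the machine store, not the user store), and on the FreeBSD host UDP 500 and 4500 must be reachable from the NATed clients; once a client is up, `ipsec statusall` lists one CHILD_SA per client with its own virtual IP, which is what you can check to confirm that two clients behind the same NAT no longer collide.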
